Fresh Tracks Therapeutics, Inc. - (FRTX)
10-K Filing Date: March 15, 2024
ITEM 1C. CYBERSECURITY
Risk Management and Strategy
We use a “cloud-only” environment for our information systems; there is no central access point that provides access to all software and related data. We use third-party clinical research organizations (“CROs”) to manage all patient-related data and review their cybersecurity procedures as part of vendor evaluation. Our employees do not have access to any patient-identifiable data.
The Company has an IT Security Policy that establishes IT security and rules for the Company. This policy covers both good practice quality guidelines and regulations (“GxP”) and non-GxP IT systems. With the assistance of a senior IT consultant, management has evaluated the potential cyber risk associated with each of our information systems, both internal and external, taken appropriate steps to mitigate risks, and assigned specific tasks to our Cyber Incident Response Team members in case of a cyber incident. Our Cyber Incident Response Team currently consists of all remaining members of management.
Our cybersecurity environment emphasizes the role of each individual user in preventing a cyber incident. We have implemented required monthly video-based cybersecurity training. All users are tested on each training module. This training is supplemented by “test” phishing messages to see if users are alert to cyber risks.
While we have experienced cybersecurity incidents and expect to continue to be subject to such incidents, to date, we have not experienced any cybersecurity incidents that have materially affected our business strategy, results of operations or financial condition. However, we are subject to ongoing risks from cybersecurity threats that could materially affect us, as further described in Part I, Item 1A, “Risk Factors” in this Annual Report.
Governance
The Board is responsible for general risk oversight. The Board reviews and evaluates management’s evaluation and mitigation of cyber risks as part of its oversight of the Company’s Risk Management program. Management periodically reviews cyber risks, incidents, and risk mitigation plans and activities with the Board.
In addition to recommendations from our senior IT consultant, we engaged an outside consulting firm to conduct a review of our information systems environment and make recommendations to improve security where appropriate. Management shared the report’s findings with the Board and periodically updates the Board regarding our progress on implementing the report’s recommendations.